SAN FRANCISCO -- Deciding to move enterprise data into cloud-computing environments is still a decision fraught with anxiety over security, as well as operational and legal issues, say IT managers, but the prospect of cost savings and ability to "burst" data into the cloud during peak periods is proving irresistible.

That was the sentiment expressed by IT and security managers in both government and the private sector at last week's RSA Conference 2011. "We're shifting the government from asset ownership," said Vivek Kundra, the federal government's chief information officer.

Kundra said it requires years and huge capital expense to build a data center -- the government has 2,000-plus -- but the plan is to start shifting to cloud-computing environments. The 2012 budget calls for a dramatic shift to the cloud. "Of the $80 billion we spend each year, $20 billon of that can actually move to the cloud," he said, adding that the plan is to shut down 800 data centers by 2015.

Some agencies already have what he called "early adopter" experience, including the General Services Administration in cloud-based e-mail, migrating 17,000 users to Google Apps. The Agriculture Department is moving onto the Microsoft Azure platform for $27 million in savings, he added. And he expects there to be a number of enterprise procurements for infrastructure as a service announced soon.

But obstacles remain. The ideal would be to reach a point where agencies have "security dashboards" to get needed information, Kundra said. There should be standards supporting interoperability and portability. "It's important to make sure we aren't in vendor lock-in."

Those concerns are shared by IT and security managers in private industry.

One reason cloud-based computing is problematic is that there's uncertainty where corporate data might be at any given moment in a cloud environment, noted Nuala Kelly, chief privacy leader at GE, who spoke at an RSA panel related to why there's hesitancy in adopting the cloud.

There's a "little bit of legal collision" the cloud has with U.S. and European data-security laws and regulations that suppose or require that data is stored in more traditional fashion. She acknowledges this legal situation "scares the bejesus out of the corporate lawyers."

To make it worse, cloud service providers also aren't always flexible or transparent.

"The challenge is one of transparency," Kelly said, as well as being able to overcome "operational legal issues." The issue of intellectual property theft is a big worry. Kelly said GE has had some limited experience in cloud computing with vendors she preferred not to name, and is keeping up discussions with cloud-service providers to assess the possibilities. She said GE and eBay are insisting that the privacy rules they want must apply.

"Two to three years ago there weren't really mature offerings," she says, but she now senses a much better outlook in the cloud market. And the European Union has begun to re-think its data protection rules, which could lead to more flexibility on data-transfer restrictions, but that will probably take some time. But some types of data, such as national-security data that companies like GE have, simply aren't candidates for the public cloud, she adds.

It's clear many IT professionals looking into international cloud-computing options are getting the feeling, warranted for not, that countries apply restrictions on cross-border data flows simply for economic reasons to keep data-computing in their countries. But at any rate, Jim Reavis, co-founder and director of the Cloud Security Alliance, who also spoke at an RSA session, acknowledged that the legal concerns related to international cloud computing across country borders are substantial.

Sensitive data that falls under the Payment Card Industry (PCI) requirements are often debated due to worries about litigation, and many U.S. and European laws act to discourage data-sharing across country boundaries, he noted.

"The Patriot Act comes up over and over again," he said. "The long reach of Uncle Sam is giving a chilling effect on cloud from a legal perspective." This can apply just to the question of data backup. International restrictions applied under law about data transfer are slowing cloud adoption and leaving IT managers sometimes resigned to sticking to the traditional hosted model, he said.

But the appeal of the dual private cloud and public cloud combo is huge, said Dave Cullinane, chief information security officer at eBay, who joined Kelly on the panel at RSA.

Cullinane, a co-founder of the Cloud Security Alliance, says eBay has become an adopter of cloud-computing and uses the Microsoft Azure cloud operating system, which has been out for a year now.

EBay has taken the approach of building a private cloud based on Azure that can be extended when a burst of additional capacity is needed into Microsoft's Azure-based data centers. "It's a private cloud, but we can also run it at Microsoft," said Cullinane.

EBay might go along at a certain pace from March through August but after that, especially as the holiday season starts, eBay's site visits and processing needs spike upward radically, he said. At that point, eBay can "burst capacity into Microsoft's data center." The alternative would be building a data center at huge cost. For eBay, which operates in many countries around the world, cloud computing is viewed as a good approach. Cullinane says eBay is saving $90 million per year in electricity costs alone.

But even as the prospect -- or for the federal government, the mandate -- for cloud computing takes shape, sorting out what are seen as the legal and operational pitfalls to actual deployment is a daunting task.

Many of the federal government's applications simply aren't ready for the cloud yet, said Tim Grance, director of the systems and network security group at the National Institute of Standards and Technology (NIST), also on the RSA panel. While migrating to a public-facing e-mail service could be done now, other applications are going to need to be changed to make the cloud work, he pointed out. And security concerns are certainly likely to hold back some public cloud adoption. "If it's a hugely critical app, you might not want to do it," he said. The Defense Department likely has the basis to run its own private cloud.

Management at some companies is flat-out rejecting cloud-based computing. Some are being told "why do you need this" after building a very high-speed network, according to representative from a company which provides financial information, who asked to remain unidentified. There, requests to try cloud-based services are rejected again and again.

The security controls around governance and regulatory reporting are not viewed as easily available in cloud-computing environments today. But last week, there were indications that vendors are taking notice that this is a vacuum to be filled and announced efforts to come up with large-scale governance and risk-management platforms for service providers. Symantec announced its own effort, dubbed O3, and VMware and RSA, both part of EMC, announced something they call "Project Horizon." Neither project, though, came with specific deadlines for product availability.